CCM-10257: Implement Eventpub in Core

jamesthompson26-nhs · jamesthompson26-nhs · commit af8817bc6a49 · 2025-06-02T11:34:58.000+01:00
diff --git a/infrastructure/modules/eventpub/README.md b/infrastructure/modules/eventpub/README.md
@@ -22,6 +22,7 @@
 | <a name="input_event_cache_buffer_interval"></a> [event\_cache\_buffer\_interval](#input\_event\_cache\_buffer\_interval) | The buffer interval for data firehose | `number` | `500` | no |
 | <a name="input_event_cache_expiry_days"></a> [event\_cache\_expiry\_days](#input\_event\_cache\_expiry\_days) | s3 archiving expiry in days | `number` | `30` | no |
 | <a name="input_group"></a> [group](#input\_group) | The name of the tfscaffold group | `string` | `null` | no |
+| <a name="input_iam_permissions_boundary_arn"></a> [iam\_permissions\_boundary\_arn](#input\_iam\_permissions\_boundary\_arn) | The ARN of the permissions boundary to use for the IAM role | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key arn to use for this function | `string` | n/a | yes |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"WARN"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
diff --git a/infrastructure/modules/eventpub/iam_role_firehose_role.tf b/infrastructure/modules/eventpub/iam_role_firehose_role.tf
@@ -1,8 +1,9 @@
 resource "aws_iam_role" "firehose_role" {
   count = var.enable_event_cache ? 1 : 0
 
-  name               = "${local.csi}-firehose-role"
-  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role[0].json
+  name                 = "${local.csi}-firehose-role"
+  assume_role_policy   = data.aws_iam_policy_document.firehose_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "firehose_assume_role" {
diff --git a/infrastructure/modules/eventpub/iam_role_lambda.tf b/infrastructure/modules/eventpub/iam_role_lambda.tf
@@ -1,6 +1,7 @@
 resource "aws_iam_role" "lambda" {
-  name               = local.csi
-  assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json
+  name                 = local.csi
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assumerole.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "lambda" {
diff --git a/infrastructure/modules/eventpub/iam_role_sns.tf b/infrastructure/modules/eventpub/iam_role_sns.tf
@@ -1,6 +1,7 @@
 resource "aws_iam_role" "sns_role" {
-  name               = "${local.csi}-sns-role"
-  assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json
+  name                 = "${local.csi}-sns-role"
+  assume_role_policy   = data.aws_iam_policy_document.sns_assume_role.json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 resource "aws_iam_policy" "firehose_delivery" {
diff --git a/infrastructure/modules/eventpub/iam_role_sns_delivery_logging.tf b/infrastructure/modules/eventpub/iam_role_sns_delivery_logging.tf
@@ -1,8 +1,9 @@
 resource "aws_iam_role" "sns_delivery_logging_role" {
   count = var.enable_sns_delivery_logging ? 1 : 0
 
-  name               = "${local.csi}-sns-delivery-logging"
-  assume_role_policy = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  name                 = "${local.csi}-sns-delivery-logging"
+  assume_role_policy   = data.aws_iam_policy_document.sns_delivery_logging_assume_role[0].json
+  permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null
 }
 
 data "aws_iam_policy_document" "sns_delivery_logging_assume_role" {
diff --git a/infrastructure/modules/eventpub/lambda_function.tf b/infrastructure/modules/eventpub/lambda_function.tf
@@ -4,7 +4,7 @@ resource "aws_lambda_function" "main" {
 
   role        = aws_iam_role.lambda.arn
   handler     = "index.handler"
-  runtime     = "nodejs22.x"
+  runtime     = "nodejs20.x" #change to nodejs22.x once core update done
   publish     = true
   memory_size = 128
   timeout     = 20
diff --git a/infrastructure/modules/eventpub/variables.tf b/infrastructure/modules/eventpub/variables.tf
@@ -108,3 +108,9 @@ variable "control_plane_bus_arn" {
   type        = string
   description = "Data plane event bus arn"
 }
+
+variable "iam_permissions_boundary_arn" {
+  type        = string
+  description = "The ARN of the permissions boundary to use for the IAM role"
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`resource "aws_iam_role" "lambda" {`
`2`		`- name = local.csi`
`3`		`- assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json`
	`2`	`+ name = local.csi`
	`3`	`+ assume_role_policy = data.aws_iam_policy_document.lambda_assumerole.json`
	`4`	`+ permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null`
`4`	`5`	`}`
`5`	`6`
`6`	`7`	`resource "aws_iam_policy" "lambda" {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`resource "aws_iam_role" "sns_role" {`
`2`		`- name = "${local.csi}-sns-role"`
`3`		`- assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json`
	`2`	`+ name = "${local.csi}-sns-role"`
	`3`	`+ assume_role_policy = data.aws_iam_policy_document.sns_assume_role.json`
	`4`	`+ permissions_boundary = var.iam_permissions_boundary_arn != null ? var.iam_permissions_boundary_arn : null`
`4`	`5`	`}`
`5`	`6`
`6`	`7`	`resource "aws_iam_policy" "firehose_delivery" {`